Oct 8, 2012

It looks like Anonymous has taken antipiratbyran.se offline. But before the site went completely offline, a lot of people saw a "500 Internal Server Error" page, which also listed the server name plus version: w3bb-h4xxor/1.3.3.7.

So does this mean that the same Anons also hacked the server? ... Actually, no!

First I removed all lines not containing both a username and a password:
Total lines: 18158 (from 19048)
Then I made a list of unique usernames: 7698
And one of unique passwords: 7703

Weird stats? Not really: users are more likely to mistype their password than their username (based on my own experience).

And just for fun, I made a list of users trying to log in with their e-mail address (the list contains duplicates):
Trying to login with mail:
Gmails: 69 times
Hotmails: 64 times
Yahoo: 30 times

But do the usernames and passwords come from RevTT?
Well, look at these passwords:
r3v0lut!0n
PS.0MG_RTT_t0rr3ntz_PLZ_080601;
RTTludixrous
laRTTpw440
dig8talrevtt

Let's just say "probably" ;-)

Based on the strength of several of the passwords (e.g. 'PS.0MG_RTT_t0rr3ntz_PLZ_080601;' <-- I fucking like that guy!), on the many duplicates and the many different passwords for the same user, and on the fact that RevTT has far more than ~7k users, I conclude that these passwords weren't brute-forced (from a database full of hashes) but were probably 'sniffed'. Either someone got access to the server (and added a "save passwords remotely/in cleartext" hook to login.php), or RevTT may have been the victim of a MitM attack (I've seen this before against torrent trackers). Right now RevTT is forcing https (credit to them!), but from what I could read from some of the victims, this dump is old, so it might predate RevTT's switch to https only.
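The counting done above (drop incomplete lines, count unique usernames and passwords, tally e-mail logins per provider) and the "several passwords per user" signal used in the conclusion, as an added example that is not the post's own script. The dump format is not shown in the post, so "username:password" per line is an assumption, and the sample lines are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample of a credential dump, one "username:password" per line
# (the real dump's layout is not shown in the post; this format is an assumption).
# The malformed and blank lines stand in for the lines the author dropped.
SAMPLE_DUMP = """\
alice:hunter2
alice:hunter3
bob@gmail.com:letmein
bob@gmail.com:letmein
carol@hotmail.com:qwerty
dave:secret
dave:secret
erin@yahoo.com:pass123
garbage line without separator

frank:
"""

MAIL_DOMAINS = ("gmail", "hotmail", "yahoo")


def parse_dump(text):
    """Keep only lines that carry both a username and a password."""
    pairs = []
    for line in text.splitlines():
        user, sep, password = line.partition(":")
        if sep and user and password:
            pairs.append((user, password))
    return pairs


def dump_stats(pairs):
    """Reproduce the post's counts plus a per-user password-variant list,
    the signal used to argue the data was captured rather than cracked."""
    by_user = defaultdict(set)
    mail_logins = Counter()  # counts attempts, duplicates included
    for user, password in pairs:
        by_user[user].add(password)
        if "@" in user:
            domain = user.rsplit("@", 1)[1].lower()
            for name in MAIL_DOMAINS:
                if domain.startswith(name):
                    mail_logins[name] += 1
    return {
        "lines_kept": len(pairs),
        "unique_usernames": len(by_user),
        "unique_passwords": len({p for _, p in pairs}),
        "mail_logins": dict(mail_logins),
        "users_with_several_passwords": sorted(
            u for u, pws in by_user.items() if len(pws) > 1),
    }


if __name__ == "__main__":
    for key, value in dump_stats(parse_dump(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```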